NordVPN discloses it suffered a data breach 19 months ago  

NordVPN confirms that one of its servers was breached last March but only just discovered it.

On Monday, the popular virtual private network (VPN) service provider NordVPN revealed that it suffered a data breach. The company explained that hackers compromised one of its servers last year. However, it believes that rogue operators didn’t access user credentials during the attack. Nevertheless, data security experts have expressed concerns about how the service protects its systems and user information.

Data Breach Details

According to NordVPN, unauthorized users gained access to a company server in Finland. A spokesperson said that the data center maintaining the server, which was encrypted with an insecure remote access system, left it vulnerable from January to March 2018. Consequently, hackers took advantage of the weakness to compromise the firm’s system last March.

NordVPN claims that the affected server didn’t contain user-created credentials or activity logs. While the service provider does note that rogue operators could have seen which websites its customers visited, the hackers could not have seen the specific content that subscribers accessed. That data is encrypted differently.


NordVPN also claims the cyber-criminals behind the breach could not use the server’s data to breach its other systems. Nonetheless, hackers could’ve used their access to perform a man-in-the-middle attack on individual users. The company called that scenario unlikely as such an assault would’ve been “personalized and complicated.”

The company didn’t disclose how many users were or might have been affected. However, a NordVPN spokesman said that the breach only exposed subscribers who intentionally chose to connect to a Finnish server. The firm also notes that, while it discovered the hack a “few months ago,” it delayed making a public disclosure until it certified its network integrity.

Accordingly, the Panama-based company has determined that the breach only affected one of its 3,000 servers. Moreover, the firm has discontinued its relationship with the data center that left its network exposed.

Unsettling Implications

In February, PC Mag reported that NordVPN holds a dominant share of the virtual private network market. Indeed, the firm’s services have received glowing reviews from both CNET and Tech Radar. Moreover, the corporation has a robust advertising budget. It utilizes that funding to place commercials on many popular YouTube channels and podcasts.

The firm may, however, experience a decline in popularity following this data breach. NordVPN promotes itself with the pledge that it can “protect your privacy online.” However, KrebsOnSecurity reports that the firm got hacked because its servers weren’t secured with two-factor authentication.

Furthermore, TechCrunch spoke to a data security specialist who took issue with the firm’s business practices. The researcher said it is “deeply concerning” that the firm unknowingly suffered a “full remote compromise.” Moreover, the anonymous commenter implied that the corporation would’ve detected the breach sooner had it invested in “effective defense security.”

Indeed, several NordVPN customers complained that the firm should not have waited months to inform them of the breach. In fact, one user asked for a refund of their two-year service contract in the comments section of the company’s notification post.

While virtual private networks can be beneficial for journalists, activists, and security-conscious consumers, the public should always remember one thing about their providers. That is, no online-enabled service or database is genuinely impregnable.